79eba52d0ce9581d1d5c39c6409aa5a0cb0bf542e1f9912c6f66ad831cd4d12e

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

288d838241fbc7b1739dd2185c2fee24.exe
Size

79KB
MD5

288d838241fbc7b1739dd2185c2fee24
SHA1

29323125831cd213907a0a5447d3cb304daa826b
SHA256

79eba52d0ce9581d1d5c39c6409aa5a0cb0bf542e1f9912c6f66ad831cd4d12e
SHA512

a8ca28e4093fb49bc5fb3943c18f4bba14647a58fcdb01438a80caf71b6e1da0ae205c21790034ec4bb11131cecdb961d2e4a2e87400070c4756039aa367d921
SSDEEP

1536:/URkccccccccccccccccccccccccccc/ccccccccccccccccccccccccccc5cccf:/Rccccccccccccccccccccccccccc/cU

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	288d838241fbc7b1739dd2185c2fee24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe = "ishost.exe"	288d838241fbc7b1739dd2185c2fee24.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	ismon.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ismon.exe	288d838241fbc7b1739dd2185c2fee24.exe
File created	C:\Windows\SysWOW64\components\flx0.dll	288d838241fbc7b1739dd2185c2fee24.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2012	ismon.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe
2404	288d838241fbc7b1739dd2185c2fee24.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2012	2404	288d838241fbc7b1739dd2185c2fee24.exe	28
PID 2404 wrote to memory of 2012	2404	288d838241fbc7b1739dd2185c2fee24.exe	28
PID 2404 wrote to memory of 2012	2404	288d838241fbc7b1739dd2185c2fee24.exe	28
PID 2404 wrote to memory of 2012	2404	288d838241fbc7b1739dd2185c2fee24.exe	28

C:\Users\Admin\AppData\Local\Temp\288d838241fbc7b1739dd2185c2fee24.exe
"C:\Users\Admin\AppData\Local\Temp\288d838241fbc7b1739dd2185c2fee24.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\ismon.exe
  C:\Windows\system32\ismon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ismon.exe

Filesize
10KB

MD5
b85e17ef75519f431ae2fa8a46426af7

SHA1
f12d84b0ae64690a1905a4ddcd55d3e7f7713877

SHA256
35c0be9872a16964a1191381dafec4afcc3ef7860bf7f5da8332b5425c15cb3c

SHA512
552b45c9e209839bdaebb07cff8d54e8a12b8b059ee1e595f55b0aa35c4aa079ccd2fe8132806d231530cf280e04e023ec120f42715ff43e077b5932f17db48e

Download Submit